* Posts by NickHolland

11 posts • joined 7 May 2010

Inside OpenSSL's battle to change its license: Coders' rights, tech giants, patents and more


no. The issue is not "the" license, nor the change of the license.

The issue is the way the license is attempting be changed.

One person can not say, "I want to change the license, and if you don't respond, I'll take it as approval".

There are right ways and wrong ways to do this. Some years ago, the OpenBSD project wanted to clean up the licenses on the entire distribution, as there were lots of little things with sloppy (or no!) licenses. They worked to contact EACH author, and they either got clear permission to change or REMOVED THE CODE (sometimes replaced, sometimes not). While benefits of making the change were explained, the license is the choice of the original author, period. Lots of problems were found -- missing contact info, people who had died, people who didn't want to change...and all those situations were respected.

Authors of code put their intended license on the code. If they change their mind, great. Others may attempt to persuade them to change, but the decision needs to remain with the author. If they wish to use the most gawd-awful license, THAT'S THEIR CHOICE.


RSA asks for plaintext Twitter passwords on conference reg page


Re: Well it's RSA

... and don't forget their 2011 security breach pretty much negated the second-factor part of their "Two Factor Authentication" solutions.


FLASH better than DISK for archiving, say academics. Are they stark, raving mad?


more than one way to fail ...

They seem to feel there is only one or two ways flash fails -- excessive writes on a cell and fading of data. By this measure, CPUs, RAM and other electronic chips should NEVER fail, as they are subject to neither. Real world shows otherwise, of course.

I've heard too many reports of flash and SSD failures way too early for excessive writes and data fading. I'm not seeing anything that makes me trust SSD more than spinning rust, except in physically harsh conditions. (sadly, I'm not sure new hard disks are going to live as long as older tech drives had in the past.)

Ten+ year storage guarantee? That sounds like the floppies that were made and sold with "lifetime guarantee", I'm sure there's NO assistance in recovering your data, NO liability for the lost data. Manufacturer suspects that in three years, you would rather buy a new drive with several times the storage rather than get your old drive replaced. I suspect this guarantee is rather hollow. And ... how do you tell how long something you invented last month is really going to last in the real world? Yes, you can tell me all about aging tests...but we have seen how well those actually work in real life.

And let's not forget tin whiskers and bad capacitors...seems not much is lasting very long anymore.


Snapper's decisions: Whatever happened to REAL photography?


Pitch for Pentax DSLRs

One digi SLR line that most people seem to miss is the Pentax K series. Not sure about the rest of the world, but very few people selling it in the US, but it is worth consideration for one reason: it uses ALL the old Pentax lenses. A $25 adapter gets you even the screw mount lenses. Supposedly an adapter is available for the medium format 645 lenses.

It is a blast working in a dark theater with a modern DSLR providing something like a 6400 ISO sensitivity with a 30+ year old f1.4 50mm lens. Can you get a f1.4 for your Nikon? Sure, but old Pentax lenses are laying around in people's attics.

Down side: sure, no auto-focus, but also no split-image prism for focus assistance, and those f1.4 lenses do need a precise focus. Manual exposure, too...but that can be good.


'A motivated, funded, skilled hacker will always get in' – Schneier


Re: "...a skilled hacker will alway get in..."

actually, I told my vehicle analogy to a long-time HR person (unionized rust-belt US -- I'm sure the answer varies depending on location), he immediately told me that 1) was the only answer: fire 'em. Retraining or reassigning is showing preferential treatment for those that screw up, this goes over very poorly.

And yes, bad policy usually does come above, it seems. Worked for a company with rigid "no wifi" rules...until one day the owner said, "I don't like all these wires on my desk" and demanded a wireless laptop. Now this guy was such a non-expert at computers that he had his sixty+ year old secretary start up and shut down his laptop every day...but he wanted wireless and anyone who said "no" would be promptly looking for a new job. And, he owned the company outright, so one could certainly argue he had the right to do that. Except ... it was an insurance company, which meant lots of personal and (hopefully) private information was stored on our computers. The choice was do what we know is wrong, or go try to do the right thing -- somewhere else? (and this guy wasn't going to spend the money for lots of protective technology, either).

That's why I say accountability is something that will help -- and this attitude of "you can't stop them" is only going to stop people from trying to stop them.


"...a skilled hacker will alway get in..."

In the common business model, where we rely on technology for protection, maybe. Probably, even. But we can do better. We HAVE to do better.

Our typical business security model is roughly equivalent to putting your front door on the side of the building and painting it purple, because no one will ever expect it there or to look like that. And stunningly enough, the average cyber thief is completely stumped by this, as they aren't overly clever (and are REALLY proud of themselves when they recognize the door on the side of the house, even though it is purple). Problem is...stopping 99.99% of the cyber-thief-wannabes is not enough when millions of attempts are being made...or one person wants your data really badly.

My other analogy is:

You run a business with a fleet of vehicles driven by your employees. A few of your employees are responsible for an unusual number of "events" with those vehicles. Do you:

1) Fire the employees?

2) Reassign them to non-driving jobs?

3) Train them to drive better?

4) Put bigger bumpers on the vehicles?

In the IT world, we just put bigger bumpers on the vehicles, the one thing that most people would consider the only WRONG answer.

I hate the statement "You can't achieve perfect security" -- while it may be true, it almost always is used as an excuse to not even try. Just because you may SOMEDAY make a mistake behind the wheel of a vehicle isn't an excuse to not try your best to drive safely, nor is it a vindication for those who perpetually put themselves and others at risk.

Technology can not counter stupid people and bad designs. You cannot take a horribly insecure applications and rely on technology to make them "safe". You cannot antivirus/firewall/technology your way to security. Yet that's all we do.

And yet, that's what we do. We implement bad designs, let untrained people have access to things they shouldn't, and managers offer to terminate and replace any IT person who has the guts to say, "that's a bad idea from a security standpoint".

Realistically, security is almost never the first priority. In fact, it is usually close to dead-last, behind convenience, cost, something to stuff on my resume, and coolness.

I used to work for a large company which had a rigorous set of criteria for company-network connected smart phones. At the time I started, only the Blackberry came close to meeting the requirements (central manageability, remote wipe, full encryption, among others). We heard word that the CIO personally owned five iProducts. Those of us at the grunt level knew what was coming, and sure enough, it did: iProducts were to be permitted onto the company network, even though they didn't (yet) meet most of the security /requirements/ for attachment, and our job was to figure out how to make the new iProducts as unbad as we could make them, not say "we got bigger problems we need to solve first before you give us new problems".

We can do much better than we have. Step one will probably be liability for the people who allow data out. Not "We followed all these compliance steps so it isn't our fault" -- doesn't matter, YOU collected the data, you retained the data, you lost the data, IT IS YOUR RESPONSIBILITY. Simple.

Yes, I'm saying Schneier is wrong on this, and that puts me on the wrong side of a lot of people. But I feel he is. Can we make something 100% "secure"? Probably not. But we always need to try. And we can't take the totally full-a**ed attempts we've been making at something pathetically called "security" and say, "See? It doesn't work!".

We can't keep using the same insecure apps, no matter how "common". We can't keep using bad designs. We can't keep letting untrained, ignorant people play with dangerous tools like computers, and we can't keep taking a "Security Last" approach to design.


What's happened since Beijing's hacker unit was exposed? Nothing


Re: This will never end.

right. it won't...

You can look at the likelihood of a crime happening based on the risks to the perpetrator (getting caught or harmed in the attempt), the rewards (profit) to the perpetrator, and the costs to implement (difficulty).

Computer crime is almost completely risk free. The rewards can be huge. The only deterrent is the difficulty (cost) to do it. As long as it is as easy as it is...it will be happening.

And...it is getting EASIER and more profitable, and is likely to continue in that trend.


Crypto guru: Don't blame users, get coders security training instead


In the IT world we tend to put untrained users on potentially hazzardous tools, then expect technology to make those tools "safe"... and then wonder why things go wrong.

Why does much of the world insist upon driver's training and testing before being allowed to drive a car on public roads? Because it helps. Does an educated driver eliminate all accidents? No, but it improves the situation.

CLEARLY, throwing technology alone at security is not working. We've been trying this for well over 20 years and the situation is getting WORSE, not better. Maybe it IS time to try education in addition to "improved" technology.

The usual response I get to this idea is, "education doesn't work!", my reply is, "it has never been seriously tried".

All the "education" attempts I have seen are based on chanting of rules, which attackers can then use as tools of their own, not true understanding of how the Internet actually works, and how it is used against us. Even the "advanced" security training starts from a premise of "you can't stop them", which I reject -- for the most part, we haven't seriously tried.


Seagate triples up heads/platter ratio


additional mass: bad.

Here's the problem: the additional heads and supporting mechanism adds mass to the seeking parts, which slows random seek times unacceptably. The goal is to reduce the mass of the randomly moving parts as much as you can.


A new wave in data center cooling?


questions/comments for round two...

Overall, I'm quite excited by the ideas of liquid immersion cooling, though I see a few issues:

Something about the two-phase cooling bothers me. Today, sure, breathing in the vapors of this fluid is harmless. What will we do next year if we find out the stuff is slightly toxic ("I gotta rebuild my entire infrastructure?"), or in a decade or two as I'm tugging around an oxygen bottle? I'd feel a lot more comfy with a low-tech, long-history substance... (my home's yard is contaminated by one of those miracle products of the past: PCBs..which, curiously were also a cooling fluid, so I'm a bit touchy about this!). I'm not sure I can be convinced that exposure to some new chemical, no matter how fascinating and useful its properties are, is harmless, but give it a shot, I'm listening.

One nice thing about old fashioned air cooling is I can stack machines floor to ceiling. Seems any form of immersion cooling will require vertical removal and insertion of parts "stacked" horizontally, which will probably limit the stacking to one or at the most two devices high, at least for applications which require that broken systems be replaced moderately soon and without impacting other systems. I suspect SOME of the potential density improvements would be negated by this. (on the other hand...the space required around a conventional rack (front and back) is pretty non-trivial, too.)

What about disks? I am sure many will say "SAN!" and leave it at that, but you still have an air cooling issue for the SAN, and much of the magic of liquid immersion is the almost complete elimination of active cooling equipment. I know you don't want to have the spinning platters in liquid, and I know traditional disks have vents to (at least) equalize their internal pressure...but could a conventional disk drive be practically made in such a way that it could be immersed along with its computer? I'm thinking either rigid enough case and seals to withstand the pressure of immersion and the reduced pressure of flying in a airplane cargo hold or a vent that could be sealed before immersion (don't screw up and forget to seal it!)


transformer oil

The big problem is the "ick" factor when you have to service something. Transformer oil would be particularly icky. Mineral oil (i.e., baby oil without the perfume) would be somewhat less annoying, but I still don't think I'd want to service a machine that was pulled from a vat of mineral oil dressed in office work attire.

I looked at a few discussions on liquid immersion cooling, one thing people keep missing is that almost ANY fluid is many, many times better at removing heat than air is. You don't need the optimal heat transfer characteristics, you want the optimal OTHER characteristics -- cheap, non-toxic, non-conductive, non-corrosive, likely to stay in its container, not harmful if it escapes its container, long-term stable in this environment, inert with regards to any of the materials used to fabricate the submerged parts, not likely to absorb anything that would change any of the above (i.e., distilled water is non-conductive, but that would likely change as dust and salts from human skin, etc. was dissolved into it over use..not to mention the residues on the products submerged into the water). The fact that it is a fluid almost guarantees superior heat transfer over free or forced air.

In this case, though, the phase change from liquid to gas absorbs a lot of extra heat from the product, and helps put an upper limit on the temp that any part will reach, which would not be true for fluid-only solutions.



Biting the hand that feeds IT © 1998–2017